Mason Initiatives: Efficiency & Effectiveness
Enterprise Risk Management

Beth Brock, Associate VP & Controller
George Mason University
May 21, 2010

Where Innovation Is Tradition

Agenda

Efficiency & Effectiveness (E&E)
• How we got started and the process
• Where we are now, observations, questions

Enterprise Risk Management (ERM)
• Overview
• How we got started and the process
• Where we are now, survey, questions

E&E Initiative

• Late 2010 - some members of BOV requested
• All administrative functions in scope; academics excluded
• Spring 2011 - explored big firm and boutique/trade assn approaches

E&E Study Advice

Do not underestimate:
• Disruption in workplace
• Time and effort to do properly
• Impact on employee morale

Expect to make an investment

E&E Evolution

Issued RFP for benchmarking services in seven administrative areas:
• Auxiliaries & Affiliated Entities
• Facilities
• Information Technology
• Purchasing
• Enrollment Services
• Human Resources
• Accounting & Finance

RFP for Benchmarking Services

• Selection criteria emphasized higher ed experience, recommended benchmarks required
• Goal - inform a decision on areas for E&E review
• Search committee: Controller; Director IA&MS; Fiscal Projects Director
• Two firms selected for oral presentations
• Senior VP and Chief of Staff attended orals

Benchmarking Project

Huron Consulting selected for 3-4 month project:
• Reviewed data on budgets and staffing
• Interviewed unit heads
• Confirmed benchmarks
• Performed benchmarking and analysis
• Delivered final report – functioning efficiently and effectively
• Discussing next phase for some opportunities

Efficiency & Effectiveness

Observations and Questions

ERM Defined

Enterprise Risk Management (ERM) is generally defined as: a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives¹.

¹ Standard ERM Model content adapted from: Committee of Sponsoring Organizations of the Treadway Commission

ERM Framework

Categorization of risks:
• Strategic – organizational goals
• Operations – executing objectives
• Financial/Reporting – safeguarding assets
• Compliance – adherence with laws and regs.
• Reputational – public image
• Cultural – character of university and personnel

ERM Initiative at Mason

• Late 2009 - BOV interested in risks other than financial risks
• Spring 2010 - Controller’s office and IA&MS collaborated to survey approx. 80 unit heads
• Responses reviewed, consolidated, reviewed again, 32 items presented to BOV

ERM Evolution

• Funding for next steps in FY11 budget
• Issued RFP for assistance with designing a sustainable ERM program
• Responses from 14 firms; orals from 5
• Sr. VP and Chief of Staff attended orals

ERM Project

Huron Consulting selected late 2010

Extensive data requests: Org charts, audit reports, draft audit findings, budgets, IA&MS work plans, list of affiliates, strategic and/or business plans for IT, research, student, finance, President’s initiatives, ERM work to date

Huron Phase I

• Evaluated data
• Met with about 25 unit heads
• Identified common risks at other institutions
• Assigned one or more of 6 framework categories
• Assigned functional area: facilities, safety, IT, academic, research, fiscal, HR, etc.

Assigning Risk Factors

Evaluated each risk using five factors:
1. External environment – e.g., federal regs
2. Reputational risk – level of public visibility
3. Financial exposure – e.g., budget, penalties
4. Vulnerability – likelihood of occurrence
5. Internal controls risk assessment

Ranking our Risks

• Used the collective high, medium, low scores for each factor to assign a relative impact score to each
• 40 risks prioritized as highest, high, medium
• Eleven highest priority include fraud, research compliance, succession planning
• Phase I deliverable – modified risk inventory

ERM Implementation Plan

Huron phase 2 deliverables:
• Recommended organizational structure
• Reviewed policies, provided gap analysis
• Provided executive level reporting format (heat map)
• Provided risk mitigation strategy guidance

Hiring a Chief Risk Officer

• New admin. faculty position, reporting to Sr. VP
• Advertised late November 2011 - late January 2012
• Committee: Controller, Director IA&MS, Projects Director, Assoc. Dean College of Science
• About 45 applicants, 3 selected for interview
• Reopened search April 2012

Interim Efforts

• Applying the committee-based organizational model
• Functional managers appointed to committee
• Will develop mitigation strategies for highest priority risks
• Will update risk inventory, determine factors for assessing relative degrees of risk

Audience Survey Question #1

Q: How has your institution’s approach to risk management changed over the past two years?
1. Significantly increased time and resources devoted to risk management
2. Somewhat increased time and resources devoted
3. Made few or no changes to risk-mgmt approach
4. Decreased time and resources devoted

Survey by CFO Magazine Q#1

Audience Survey Question #2

Q: Who in your institution is most responsible for risk oversight?
1. CFO
2. President
3. Risk committee
4. CRO
5. Board of Visitors
6. Audit Committee
7. Director, Internal Audit

Survey by CFO Magazine Q#2

Audience Survey Question #3

Q: Which would you say is the single biggest impediment to improved risk management within your institution?
1. Commitment of time/resources
2. Internal expertise
3. No clear mandate from top
4. Organizational structure
5. N/A, adequate risk mgmt
6. Implement. methodology
7. Lack of IT system to address risk mgmt.

Survey by CFO Magazine Q#3

Enterprise Risk Management

Observations and Questions

Contact information:
Beth Brock
ebrock1@gmu.edu
703-993-2660